V3 Identity API: Remove unscoped tokens

Bug #1208640 reported by justinsb
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned

Bug Description

In V3, unscoped tokens are rare, but still possible. A caller must specify neither a project nor a domain, and the user must not have a valid default project.

I think we should actually remove unscoped tokens entirely in V3, and return a domain token if the user does not specify a domain or project and has no valid default project. I don't see what we gain from distinguishing between a domain token vs an unscoped user token (which implicitly has a domain, because a user has a domain).

In short, currently we fall back to an unscoped token if no domain & project is specified and the user does not have a valid default project. That seems to be the only way to get an unscoped token. Instead, we should return a domain token.

This would also ensure compatibility with V2 (filed as a related bug). We would essentially be renaming an unscoped token to be a domain token. Unscoped tokens always identified a domain, because every token identified a user, and every user identified a domain.

Haneef Ali (haneef) wrote :

If I understood correctly

Unscoped token: Token scoped to user's domain
Domain token: Token scoped to cross domain (some other domain)
Project token: Token scoped to domain

justinsb (justin-fathomdb) wrote :

Are you summarizing the suggestion Haneef, or summarizing what is currently implemented? I think it's the former. A TLDR of my proposal is a good idea... here goes:

* A project token remains scoped to a project, as in V2
* V3 introduces domain tokens, which are scoped to a domain
* We remove unscoped tokens from V3
* In the rare case where you would get an unscoped token in V3, you get a domain token instead.
* When a V2 client requests an unscoped token, they just get a domain token instead. V2 clients can't tell the difference.
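
The fallback described in the bug description and the proposal summarized in the list above, as an added example that is not part of the original thread and is not keystone's code: a small model of how the scope of a token is chosen for a V3 auth request. `User`, `resolve_scope`, the `valid_projects` set and all ids are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: str
    domain_id: str                          # every user belongs to a domain
    default_project_id: Optional[str] = None


def resolve_scope(auth: dict, user: User, valid_projects: set,
                  proposed: bool = False) -> dict:
    """Return the scope of the token issued for the "auth" part of a request.

    valid_projects models "the user has a valid default project" as simple
    set membership (an assumption; the thread does not define validity).
    proposed=False models the current fallback, proposed=True the change
    suggested in this bug.
    """
    scope = auth.get("scope") or {}
    if "project" in scope:                  # caller asked for a project token
        return {"type": "project", "id": scope["project"]["id"]}
    if "domain" in scope:                   # caller asked for a domain token
        return {"type": "domain", "id": scope["domain"]["id"]}
    # Neither project nor domain given: use the default project if valid.
    if user.default_project_id in valid_projects:
        return {"type": "project", "id": user.default_project_id}
    if proposed:
        # Proposal: scope to the user's own domain instead of going unscoped.
        return {"type": "domain", "id": user.domain_id}
    return {"type": "unscoped", "id": None}  # current: the rare unscoped case


def compare(auth: dict, user: User, valid_projects: set) -> tuple:
    """Scope type under (current, proposed) behaviour for the same request."""
    return (resolve_scope(auth, user, valid_projects)["type"],
            resolve_scope(auth, user, valid_projects, proposed=True)["type"])


if __name__ == "__main__":
    valid = {"p1"}                          # constructed sample data
    stale = User("u1", "d1", default_project_id="p-deleted")
    for auth in ({}, {"scope": {"project": {"id": "p1"}}},
                 {"scope": {"domain": {"id": "d2"}}}):
        print(auth, "->", compare(auth, stale, valid))
```

Only the first request, with no scope and no valid default project, differs between the two behaviours.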

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Wishlist
status: New → Opinion
justinsb (justin-fathomdb) wrote :

OK, so there are two issues here. There's no documented purpose for unscoped tokens that I can see. I've taken that to its logical conclusion, and proposed that we just drop them, but that is only one proposed solution.

As Launchpad doesn't have a nice way to triage the two issues separately, I've opened bug #1214570 to track the lack of purpose. (And this bug can be used to track a proposed solution, if we do decide in that bug that unscoped tokens are purposeless)
